It is no longer news to hear of cyber breaches attributed to phishing and social engineering in general. In fact, the latest high-profile and most damaging data breaches all started with attackers gaining access to the target via spear phishing emails. Phishing is becoming an attacker’s favorite vector for launching an attack, for obvious reasons. Work smart, not hard: the attacker wants the easiest and most assured path to access, and phishing is proving to be exactly that, requiring little technical skill. Secondly, ‘humans are the weak link’: if you can trick the employees of your target into handing over information (credentials) or granting access to the enterprise network, there is no need to waste time and energy circumventing the security measures put in place. There are also spear phishing emails designed for individuals, who end up divulging PII (Personally Identifiable Information) and other data, e.g. credit card and bank account information, credentials to e-commerce and social media sites, etc.
Spear phishing has evolved and has become more sophisticated and more convincing to the recipient. Gone are the days when spear phishing emails came from a supposed Nigerian prince with an inheritance worth millions of dollars who needed help banking it abroad. It still amazes me that people fell for these scams and gave out their bank details. In the next phase (what I call Gen II) the attacker ensured that the email looked as legitimate as possible, even using company logos and the real names of individuals who work at the domain being impersonated. Customers of banks, e-commerce and retail companies have been targets of such phishing. The customer receives an email purporting to come from the vendor or bank, asking them to update their details via a link provided in the email. Once the recipient clicks the link they are redirected to a rogue site (designed, of course, to look like the real one) where they are asked for credentials and other information. Unknown to the user, they are handing their credentials to an attacker.
Gen III spear phishing is more specialized still, targeting C-suite executives and other top management of an enterprise (whaling). The attacker takes time to understand the target, and the whaling email sent is very specific. The attacker obtains the executives’ names and crafts the email as if it comes from a C-suite colleague, a business associate or even an investor in the company. In our recent work we encountered a client whose CFO received a phishing email from an address that looked like that of her CEO. The names of the two executives were correctly spelt (even though some were foreign) and the email requested the CFO to release funds to the CEO, who had travelled. Incidentally, the CEO had actually travelled and could not be reached by phone. In another case a C-suite executive received a similar phishing email, this time from a ‘business associate’ who had moved office and attached a map as a .doc attachment. The .doc file carried a payload intended to harvest credentials on the device it was downloaded on. Whaling is expected to gain popularity given the high-profile individuals targeted and the reward from the attack.
Just as technology advances, we should expect spear phishing to advance with it. We used to recommend user awareness on the subject (and it still helps), but given the sophistication of today’s spear phishing a more robust solution is required. As noted earlier, spear phishing emails are correctly spelt, target specific individuals and use the targets’ real names, making them convincing and hard to detect. Two-factor authentication (2FA) on email was also believed to be secure, but again, thanks to human weakness, it too can be bypassed. Prof. Nasir Memon of New York University and his doctoral student tested and proved that users can be tricked into sharing their verification code by, you guessed it, social engineering.
Organizations that have been attacked are now quickly adopting DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC is a protocol that enables email senders and receivers to determine whether or not a given message is legitimately from the sender, and what action to take if it is not. It builds on SPF and DKIM: the domain owner publishes a policy in DNS, and a receiving mail server checks that the domain authenticated by SPF or DKIM aligns with the domain shown in the message’s From: header, applying the published policy (none, quarantine or reject) when it does not. This protects against direct domain spoofing and, more importantly, keeps phishing emails out of users’ inboxes. Spear phishing emails target human weakness; if we can stop the emails from reaching users’ inboxes, the war is already half won.
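As an added illustration (not code from the original post), here is the alignment check at the heart of DMARC: a receiver parses the sender domain’s published policy, and the message passes only if an SPF- or DKIM-authenticated domain aligns with the From: domain; otherwise the p= disposition (or sp= for subdomains) applies. The record, domains and function names are constructed for this example, and the organizational-domain logic is simplified as noted in the comments.

```python
# Constructed sample record, as it would be published in the DNS TXT record
# at _dmarc.example.com (example.com is a placeholder, not a real deployment).
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag -> value dict; require v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def org_domain(domain):
    """Organizational domain. Simplifying assumption: the last two labels.
    Real receivers consult the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Does the SPF- or DKIM-authenticated domain align with the From: domain?
    mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return (dmarc_result, disposition) for one message.
    spf_domain: domain for which SPF passed (MAIL FROM), or None if it did not.
    dkim_domain: d= of a DKIM signature that verified, or None if none did."""
    tags = parse_dmarc(record)
    if (aligned(from_domain, spf_domain, tags.get("aspf", "r"))
            or aligned(from_domain, dkim_domain, tags.get("adkim", "r"))):
        return "pass", "none"
    # Authentication failed or did not align: apply sp= to subdomains
    # when it is present, otherwise the domain-wide p= policy.
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)
    return "fail", policy
```

Note that the policy consulted is always the one for the exact domain in the From: header, which is why DMARC stops direct spoofing of your own domain but not a look-alike domain with its own valid records; that gap is one reason user awareness still matters alongside DMARC.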
There are no silver bullets in cyber security, hence no single solution will guarantee winning the war. “The supreme art of war is to subdue the enemy without fighting” – Sun Tzu. Organizations need to implement security solutions to deter phishing, conduct interactive user awareness training (“show, not just tell”, as Winn Schwartau puts it) and, of course, if phishing attacks do succeed, have tools in place to detect and remediate the threat.
2018 © Villbo Group Limited.